------------------------
Amiga Virus Encyclopedia
XFD infiltrator Virus
------------------------
-----------------------------------------------------------------------
Entry...............: XFD infiltrator
Alias(es)...........: -
Virus Strain........: -
Virus detected when.: ?
              where.: ?
Classification......: Boot and file virus, memory-resident, not
                      reset-resident
Length of Virus.....: 1. Length on storage medium: BB = 1024 Bytes
                                                   "LIBS:xfd/r" = 1148 Bytes
                      2. Length in RAM: 2048 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS Version/Release..: V37+
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...:
                      Self-identification method in memory:
                      - none!
                      System infection:
                      - infects the following function: Exec/DoIO()
                      - creates file LIBS:xfd/r to be activated
                        on xfd.library open!
                      Infection preconditions:
                      - disk inserted and it didn't crash due to lack
                        of free memory :)
Infection Trigger...: - booting from infected disk
                      - having LIBS:xfd/r file installed
Storage media affected:
                      LIBS:xfd, trackdisk bootblocks
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none
Particularities.....: This strange thing has a "poly-engine"!
                      Simple EOR (XOR) encoding is used. There are four
                      versions of the decoder block, and the decoder
                      length is static, always 64 bytes long...
                      This bootvirus also has stealth. I've seen such a
                      thing somewhere, but I'm too young to remember
                      bootblock viruses anyway :)
                      This small virus even has retro - it manipulates
                      the negative offsets (function jump table) of
                      exec.library...
                      The virus doesn't destroy bigger bootblocks
                      or overwrite itself (some kind of self-recognition)...
                      And the most interesting thing is that it drops
                      a file containing the virus to LIBS:xfd/r...
                      I haven't seen such an idea before.
Similarities........: All bootblock viruses from ancient times :)
                      But it isn't another SCA clone - this virus
                      has some very unique features that made it
                      really interesting to me.
Stealth.............: Yes. Triggers installation of the virus file
                      at LIBS:xfd/r...
                      The stealth routine returns the uninfected
                      bootblock instead of the virus.
Armouring...........: Poly-engine described above.
Comments............: The age of this virus is unknown. It seems to be
                      totally harmless and it didn't spread.
                      xxxx said it was on a CD from 1999. The virus must
                      be quite new, as it aims at harddisk-based
                      systems with the xfd drop and is cache-aware,
                      but I doubt it is newer than 1997, when we saw
                      the last boot virus (HNY98)...
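As an added illustration (not part of the original entry or its author's work), the Python below inspects a raw 1024-byte bootblock read offline from a disk image, where the Exec/DoIO() hook and the stealth described above cannot hand back the clean boot: it verifies the "DOS" signature and the ROM checksum, and flags bootable code that is not on an operator-supplied allowlist. The sample boot code bytes and the allowlist are constructed for this example.

```python
import hashlib
import struct

BOOTBLOCK_SIZE = 1024   # "BB = 1024 Bytes": the two 512-byte boot sectors
CHECKSUM_OFFSET = 4     # longword 1 is the checksum, longword 2 the rootblock
CODE_OFFSET = 12        # the ROM jumps here once signature and checksum pass

def bootblock_checksum(block: bytes) -> int:
    """Amiga bootblock checksum: sum of all 256 big-endian longwords with
    end-around carry, the checksum field counted as zero, then inverted."""
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        word = 0 if off == CHECKSUM_OFFSET else struct.unpack_from(">I", block, off)[0]
        total += word
        if total > 0xFFFFFFFF:                # fold the carry back into bit 0
            total = (total + 1) & 0xFFFFFFFF
    return (~total) & 0xFFFFFFFF

def build_bootblock(code: bytes, rootblock: int = 880) -> bytes:
    """Assemble a checksummed "DOS\\0" bootblock around CODE; used here only
    to construct the sample image below."""
    body = b"DOS\x00" + b"\x00" * 4 + struct.pack(">I", rootblock) + code
    block = bytearray(body.ljust(BOOTBLOCK_SIZE, b"\x00"))
    struct.pack_into(">I", block, CHECKSUM_OFFSET, bootblock_checksum(bytes(block)))
    return bytes(block)

def inspect_bootblock(block: bytes, known_good: set) -> dict:
    """Check a raw bootblock read straight from an image file (no DoIO() hook
    in the path). KNOWN_GOOD holds hex SHA-256 digests of trusted boot code."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("bootblock must be exactly 1024 bytes")
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    digest = hashlib.sha256(block[CODE_OFFSET:]).hexdigest()
    result = {
        "dos_signature": block[:3] == b"DOS",
        "checksum_ok": stored == bootblock_checksum(block),
        "has_boot_code": any(block[CODE_OFFSET:]),
        "code_sha256": digest,
        "code_known_good": digest in known_good,
    }
    # Bootable, executable and not on the allowlist is exactly what a boot
    # virus leaves behind, so flag that combination for a manual look.
    result["suspicious"] = (result["dos_signature"] and result["checksum_ok"]
                            and result["has_boot_code"] and not result["code_known_good"])
    return result

# Constructed sample bytes standing in for legitimate boot code (not from a real disk).
SAMPLE_CODE = bytes.fromhex("43fa00184eaeffa04a80670a2040206800167000")
SAMPLE_BLOCK = build_bootblock(SAMPLE_CODE)
KNOWN_GOOD = {inspect_bootblock(SAMPLE_BLOCK, set())["code_sha256"]}
```

Reading the first 1024 bytes of an ADF image into `inspect_bootblock` is enough for a scan; a block whose checksum fails is simply not bootable and is ignored by the ROM.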
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 2002
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 2002
Information Source..: Analysis of the virus and its source code
Copyright...........: This documentation is public domain
===================== End of XFD infiltrator virus =====================